BUG/MEDIUM: dns: overflowed dns name start position causing invalid dns error

In dns_read_name() when dns name is used with compression and start position of
name is greater than 255 name read is incorrect and causes invalid dns error.
eg: 0xc11b c specifies name compression being used. 11b represent the start
position of name but currently we are using only 1b for start position.

This should be backported as far as 1.7.

diff --git a/src/dns.c b/src/dns.c
index 78d8f52f2113b3dd41d93107b90bc9e4fab5fa38..1d91e43819d64fe625617f817bd89b761badd634 100644 (file)
--- a/src/dns.c
+++ b/src/dns.c
@@ -417,7 +417,7 @@ int dns_read_name(unsigned char *buffer, unsigned char *bufend,
                        if (depth++ > 100)
                                goto err;
 
-                       n = dns_read_name(buffer, bufend, buffer + reader[1],
+                       n = dns_read_name(buffer, bufend, buffer + (*reader & 0x3f)*256 + reader[1],
                                          dest, dest_len - nb_bytes, offset, depth);
                        if (n == 0)
                                goto err;